[Mailman-Users] Possible XSS in Mailman 2.1.4
Ho Yin Au
hya at bluesite.com
Sat Feb 21 23:35:15 CET 2004
Hi,
I think I've stumbled on a possible Cross-Site-Scripting vulnerability
in Mailman 2.1.4. Take a look:
* Set up a new list and configure it with private archives
* Try to view the archives - enter something like <script language="JavaScript">window.alert(document.cookie)</script> into the EMail Address box. Click on "Let me in."
On a side note, is it possible for that page to not reveal any sensitive
information such as path and environmental variables?
-Ho Yin
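Added example, not part of the original post or of Mailman's own code: a Python sketch of the two fixes a maintainer would apply to the behaviour described above, escaping the echoed address before it reaches the page, and returning a generic error page that keeps paths and environment variables in the server log. The function names, list name and page text are constructed illustrations.

```python
import html
import logging
import re

# Constructed sample: the same value the post types into the "EMail Address" box.
SAMPLE_INPUT = '<script language="JavaScript">window.alert(document.cookie)</script>'

LOG = logging.getLogger("archauth")


def render_login_unsafe(email: str, listname: str = "test-list") -> str:
    """Echoes the submitted address straight into the page: the pattern the
    post describes. Illustrative only, not Mailman's template."""
    return (f"<h2>{listname} Private Archives Authentication</h2>"
            f"<p>Authorization failed for {email}.</p>")


def render_login_safe(email: str, listname: str = "test-list") -> str:
    """Same page with every user-controlled value HTML-escaped first.
    quote=True also neutralises quotes, so the value is safe inside
    attributes as well as element content."""
    return (f"<h2>{html.escape(listname, quote=True)} Private Archives Authentication</h2>"
            f"<p>Authorization failed for {html.escape(email, quote=True)}.</p>")


# Crude defender-side regression check: a live <script> tag in rendered output
# means a user value reached the page unescaped.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(page: str) -> bool:
    return SCRIPT_TAG.search(page) is not None


def error_page(exc: Exception, environ: dict) -> str:
    """Generic error page for the second issue in the post: request details
    (CGI environment, filesystem paths) go to the server log only; the
    browser gets a fixed message with nothing to harvest."""
    LOG.error("archive login failure: %r; env keys=%s", exc, sorted(environ))
    return "<p>An error occurred. The site administrator has been notified.</p>"
```

The safe renderer leaves ordinary addresses unchanged, so the fix is a pure escaping change with no effect on legitimate logins.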